Implantable cardioverter defibrillators (ICDs) made by Medtronic are insecure, says the Department of Homeland Security’s CISA team. Exploitation is trivial, possible outcomes include the death of the patient.
And wouldn’t you know it, Medtronic knew about the problem for more than a year. Basically, wireless commands can completely reprogram the devices; there’s no authentication and no encryption.
“Are you serious?” you ask. In today’s SB Blogwatch, we’re as serious as a heart attack.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 277,777,788,888,899.
ICD IoT CVEs
What’s the craic? Shaun Nichols rings the alarm—your implanted defibrillator can be hacked over the air:
Medical gear maker Medtronic is once again at the center of a hacker panic storm.
This time, a number of its heart defibrillators, implanted in patients’ chests, can … be wirelessly hijacked and reprogrammed, perhaps to lethal effect. … Medtronic’s wireless communications system Conexus … exchanges data between implanted devices and their control units over the air … with a range of roughly 25 feet.
CVE-2019-6538 can be potentially exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for … tampering, nor performs any form of authentication. … [It] allows a nearby miscreant … to send commands to the implanted cardiac device that reads or writes memory … perhaps even ultimately killing the patient.
CVE-2019-6540, addresses the lack of encryption. This means an attacker … can listen in on the data … and spy on the patient’s condition.
This isn’t the first time Medtronic has made headlines for its lapses in security. Last year, researchers reported a similar issue [with its] pacemakers … using insecure channels to download their firmware updates.
And Dan Goodin pens “Critical flaw lets hackers control lifesaving devices implanted inside patients”:
Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. … Doctors have increasingly used radios to monitor and adjust the devices.
The researchers privately notified Medtronic of the critical vulnerability in January 2018. … The [CISA] advisory rated the severity at 9.3 out of a possible 10 points and said it required low skill to exploit.
That does not sound good. CISA advises this bone-dry Medical Advisory (ICSMA-19-080-01):
Successful exploitation … may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the … RF communication of the Medtronic … telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires:
(1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR);
(2) to have adjacent short-range access to the affected products; and
(3) for the products to be in states where the RF functionality is active.
Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods … to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.
No known public exploits specifically target these vulnerabilities.
What does the company have to say for itself? Although the U.S. government says exploiting requires “low skill,” the PR drawer statement claims otherwise:
Even though an unauthorized user may be able to access the Conexus telemetry, that access does not [grant] the ability to control or change the settings of an implanted heart device. Fully exploiting these vulnerabilities requires comprehensive and specialized knowledge of medical devices, wireless telemetry and electrophysiology.
Medtronic recommends that patients and physicians continue to use devices as prescribed and intended. The benefits of remote monitoring outweigh the practical risk. … Patients with concerns about these cybersecurity vulnerabilities should discuss these concerns with their physician.
Who is to blame? Derek DeWeese does not mince his words:
This is the exact kind of nightmare scenario that every security researcher the world over has been warning about for years. If you, as a manufacturer, put a radio transceiver on a device, you simply MUST use strong encryption and secure authentication.
Anything less should be considered criminal negligence and prosecuted to the fullest extent of the law.
And a slightly sweary JustAnotherOldGuy agrees:
It goes well beyond negligence. … People need to go to prison for releasing insecure pieces of **** like this onto the market and for allowing them to be implanted in people.
I’m always astounded that NO ONE paid the slightest thought to hardening or securing these kinds of devices. … ****ing mind-boggling.
But this equally sweary Anonymous Coward isn’t as astounded:
Nobody gives a **** about quality, security or reliability. The ****heads in charge want cheap outsourced morons, to maximise their bonuses.
All execs are parasites leeching off the company for their own worth. Their mindset is **** the users of the software, even if its (sic) so bad it can kill you.
Meanwhile, is that déjà vu I feel? We’ve seen this plot before, notes MiguelC:
It was used in an episode of Homeland in 2012.
2012? Seems more recent than that. mrbester solves the mystery:
The Cryptobanker (The Blacklist season 6 episode 10). Aired [two weeks] ago.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.